WormGPT - How cybercriminals use the AI tool

Tarek Baish

13. Sep 2023 | 2 min.

The introduction of ChatGPT generated a lot of hype; after only five days there were more than one million users. After two months, there were already over a hundred million users.

Artificial intelligence (AI) can make many things possible and can be used in different ways. On the one hand, it simplifies everyday life, but on the other hand, cybercriminals have also discovered AI for themselves and their scams. It is used for the development of new malware, vulnerability analyses, exploits and especially for phishing e-mails. The developers of ChatGPT have already set limits to the technology to restrict illegal and unethical uses, which is not easy with the automatic “learning process” of artificial intelligence.

However, cybercriminals are often able to circumvent these limits, e.g. through so-called “jailbreaks”. This involves tricking the AI into overstepping its boundaries and revealing illegal information. This is just one of many ways AI is used by cybercriminals.


What is WormGPT?

A new AI technology has spread among cybercriminals called WormGPT. It is based on the open-source GPT-J language model and takes phishing attacks to a new level by using Business E-mail Compromise (BEC) as an attack vector. The tool can be used to create texts that are tailored directly to the victim and make a particularly convincing impression by using human-like features. The AI enables the attackers to create e-mails in different languages and perfect them for illegal purposes

„The developers of ChatGPT have already set limits to the technology [....] which is not easy with the automatic "learning process" of artificial intelligence.“

How to minimize the risk

The risks can be prevented with a holistic cyber security strategy. First and foremost, intrusion and detection systems (IDS / IPS), which can be operated in the company’s own IT or also used by service providers, protect against AI-based attacks. These systems detect data streams in the network that differ from normal operation and generate an alarm message in the system.

A much more precise solution for the detection of anomalies is the introduction or use of a Security Operation Centre, or SOC for short. The SOC has the task of monitoring and analyzing threat states and, if possible, initiating countermeasures.

The use of a SIEM or SOAR solution also helps to detect and defend against attacks. A SIEM is a system that detects anomalies and triggers an alarm but requires a manual response. This is in contrast to SOAR, which also receives alerts but responds automatically to prevent the threat.

It is also crucial to implement effective preventive measures. Other strategies that companies can use to detect attacks include specific training aimed at “business email compromise”, for example. Companies should therefore develop comprehensive, regular and up-to-date training programmes that target AI-based BECs. As an ongoing part of professional development, these trainings should highlight the methods and approaches of cybercriminals to better understand the tactics of attackers.

Sources and Inspiration (Status 29.08.2023) (Status 29.08.2023)